Internal vulnerability scanning, a major component of PCI Compliance

  • Team Omega
  • July 15, 2016

Omega Appliance

Some merchants still believe that their Point-of-Sale (POS) vendor provides all the security they need to be Payment Card Industry (PCI) compliant. That assumption is incorrect.

A POS vendor is required to validate its payment application against the Payment Application Data Security Standard (PA-DSS), but a PA-DSS validated application does not make the merchant PCI Data Security Standard (DSS) compliant. What the two do have in common is that both demand compliance year after year: PCI DSS stresses ongoing compliance, not compliance at a single point in time.

A major requirement of PCI DSS is vulnerability scanning of the merchant's internal networks.

SAQ D, Requirement 11.2.1.b, asks: “Does the quarterly internal scan process include re-scans as needed until all “high-risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved?” Requirement 11.2.1.c asks: “Are quarterly internal scans performed by a qualified internal resource(s) or qualified external third party, and if applicable, does organizational independence of the tester exist (not required to be a QSA or ASV)?”[1]
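The 11.2.1.b test above is mechanical enough to automate: take the scanner's findings, rank them under the organization's Requirement 6.1 risk-ranking policy, and refuse to close the quarter while any "high-risk" finding remains. The script below is an added illustration, not Omega's software or any scanner's real export format. It assumes a 6.1 policy that ranks CVSS base score 7.0 and above as "high" (the threshold is whatever your own 6.1 process documents), a constructed four-column CSV layout, and constructed sample scans; the reconciliation step reports which high-risk findings a rescan actually resolved rather than just a new count.

```python
import csv
import io
from dataclasses import dataclass

# Assumed Requirement 6.1 risk-ranking policy: CVSS base score >= 7.0 is "high".
# Illustrative value; use the threshold your own 6.1 process documents.
HIGH_RISK_CVSS = 7.0


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str   # scanner's identifier for the check (plugin ID, QID, ...)
    cvss: float
    title: str

    @property
    def key(self):
        """Identity of a finding across scans: same host, same check."""
        return (self.host, self.check_id)


def parse_scan_csv(text):
    """Parse a minimal CSV export with columns host,check_id,cvss,title.

    The column layout is constructed for this example, not a real vendor
    format; point the reader at your scanner's own export instead.
    """
    reader = csv.DictReader(io.StringIO(text))
    return [Finding(r["host"], r["check_id"], float(r["cvss"]), r["title"])
            for r in reader]


def risk_rank(cvss):
    """Map a CVSS base score onto the assumed 6.1 policy's rankings."""
    if cvss >= HIGH_RISK_CVSS:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def high_risk(findings):
    return [f for f in findings if risk_rank(f.cvss) == "high"]


def rescan_required(findings):
    """11.2.1.b: keep rescanning until no high-risk finding remains."""
    return len(high_risk(findings)) > 0


def reconcile(previous, current):
    """Compare a scan with its rescan.

    Returns (resolved, persisting, new) sets of high-risk finding keys so the
    rescan report shows what was actually fixed, not only a changed count.
    """
    prev = {f.key for f in high_risk(previous)}
    curr = {f.key for f in high_risk(current)}
    return prev - curr, prev & curr, curr - prev


def quarter_status(scan_texts):
    """Walk one quarter's scan/rescan sequence in order.

    The quarter is closed only if the most recent scan has no high-risk
    findings; each rescan is reconciled against the scan before it.
    """
    scans = [parse_scan_csv(t) for t in scan_texts]
    report = []
    for i in range(1, len(scans)):
        resolved, persisting, new = reconcile(scans[i - 1], scans[i])
        report.append({"rescan": i, "resolved": sorted(resolved),
                       "persisting": sorted(persisting), "new": sorted(new)})
    return {"closed": not rescan_required(scans[-1]), "rescans": report}


# Constructed sample data: an initial quarterly scan and one rescan after
# the POS server was patched but the back-office host was not.
INITIAL_SCAN = """host,check_id,cvss,title
10.10.1.5,CHK-1001,9.8,Unsupported OpenSSL version on POS server
10.10.1.5,CHK-1002,5.3,TLS 1.0 enabled
10.10.1.20,CHK-1003,7.5,SMBv1 enabled on back-office host
10.10.1.30,CHK-1004,2.1,ICMP timestamp response
"""

RESCAN = """host,check_id,cvss,title
10.10.1.5,CHK-1002,5.3,TLS 1.0 enabled
10.10.1.20,CHK-1003,7.5,SMBv1 enabled on back-office host
10.10.1.30,CHK-1004,2.1,ICMP timestamp response
"""


if __name__ == "__main__":
    # One high-risk finding persists, so the quarter stays open.
    print(quarter_status([INITIAL_SCAN, RESCAN]))
```

Two caveats when adapting this. The CVSS 4.0 line used for "medium" here is the threshold at which an Approved Scanning Vendor fails an external scan under 11.2.2; it is not the internal "high-risk" definition, which is whatever your 6.1 policy says. And 11.2.1.c (qualified tester, organizational independence) is a people-and-process control that no script can evidence; keep the scan operator's qualifications and reporting line in the quarter's records alongside the scan output.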

What is an internal vulnerability scan?

The short answer: an internal vulnerability scan identifies real and potential vulnerabilities inside a business's network, from a vantage point behind the perimeter firewall rather than from the Internet.

The reality is that most IT staff, however big or small the business, spend their time dealing with regular day-to-day issues and putting out fires. They do not have the time to look into internal vulnerabilities or deal with PCI requirements. This is where a managed security services provider like Omega ATC adds value.

Omega's break-through solution, the Omega Appliance, provides internal vulnerability scanning, log parsing, and monitoring, which together satisfy some of the toughest PCI DSS requirements a merchant has to meet.

  • The Omega Appliance is the front line of data security for retail stores.
  • It is the least bandwidth-intensive way to scan.
  • It does not bog down the network with scan traffic, so staff and customers can complete their transactions unimpeded.
  • Re-scans are performed until high-risk vulnerabilities are resolved.

To get more information or schedule a test of the Omega Appliance, get in touch with Omega.

In summary:

  • POS application (PA-DSS) security alone does not satisfy PCI DSS compliance
  • PCI DSS requires quarterly internal vulnerability scanning, with re-scans until high-risk vulnerabilities are resolved
  • The Omega Appliance is the most effective solution in today's market: small, powerful, and accurate.

[1] https://www.pcisecuritystandards.org/documents/SAQ_D_v3_Merchant.pdf